How to use Real Capture to capture wireless and wired traces from an ExtremeWireless Access Point

Objective
How to use Real Capture to capture wireless and wired traces from an ExtremeWireless Access Point.
Environment
  • ExtremeWireless
  • IdentiFi
  • AP-36xx
  • AP-37xx
  • AP-38xx
  • AP-39xx
  • Firmware Revisions 8.01 or higher.
  • Real Capture
  • Sniffer
  • Trace Collection
Procedure
Required equipment/software:
  • Access Point
  • Wireshark
Step-1: Configure the target access point by following the steps below:
  1. Identify the target Access Point (AP) in the Controller GUI
  2. Note that access point's IP address from its Static Configuration (this information will be needed when configuring the Wireshark application)
  3. Go to Advanced under the AP Properties of the AP
  4. Set preferred duration of traffic capture (default is 300 seconds)
  5. Click Start 
Step-2: Configure The Wireshark Network Analyzer application ("Wireshark") to start capture from the remote host (i.e.: Access Point)
  1. Make sure the AP is reachable from the PC running Wireshark.
  2. Open Wireshark and click on Capture and then Options
  3. Click on Manage Interfaces button (located in the lower right corner of the main window)
  4. The Manage Interfaces window will open.
  5. Click on Remote Interfaces tab, then click "Add" ("+" button in lower left corner)
  6. Type the IP address of the target AP in the "Host:" box
  7. Leave the "Port:" box blank 
  8. Keep the default "Null authentication" radio button selected.
  9. Select the interface(s) on which you want to capture packets
Note: If you want to capture the wired port, make sure eth0 is checked (selected).
If you want to capture the radio (air) that the test client is on, check wifi0 for Radio 1, or wifi1 for Radio 2.
To determine which radio the test client is on, locate the test client in one of the reports on the wireless controller, such as "Clients by VNS".
  10. Start the packet capture
  11. Begin the test packet transmission on the suspect device
  12. End the packet capture upon completion of transmission and save the trace for further analysis.
Additional notes
  • The capture on wifi0 and wifi1 will not include internally generated hardware packets by the capturing AP. The capturing AP will not report its own Beacons, Re-transmission, Acks and 11n Block Ack. If this information is needed, then the real capture should be done from a close-by second AP. Change that second AP's wireless channel to match the AP that is being troubleshot. Let it broadcast an SSID so the radios switch on but do not broadcast the same SSID you are troubleshooting so that clients do not connect to your second capturing AP.
  • In order to capture NULL and QOS_NULL packets with Wireshark, do not set any Capture Filters and also disable "Do not capture own RPCAP traffic" in Remote Settings.
    In v1.12.3 or above this option should be used on wireless captures every time you take a trace.
    It is found by going to Capture --> Options --> Double Click Interface Row --> Remote Settings.
  • If a MacBook or MacBook Air is handy, you can take promiscuous WiFi captures with an application called Airtool.
    Related article: How to capture wireless traces from a Macbook or MacAir
  • Troubleshooting tip: If you need to capture an event and are not sure when it will occur, you can capture over a long period by writing to multiple files and allocating a specific number of files/amount of disk space, so that you do not overrun your capture device.
    1. First SSH to the AP and run the command below to set a large amount of time for the capture to run. This can only be set through the CLI. Syntax:
       ccapture start 214748367
    2. On your capture PC, configure Wireshark to capture multiple files and a certain amount of disk space.
    3. Go to Capture Options --> Capture interface --> Output tab and select "Create New File automatically after..."
    4. Configure a file name structure, select a file size and select "Use a ring buffer with x files".
    5. Select a file size and number of files based on the amount of disk space you want to use. The more files that can be saved, the longer you can capture and the larger the "window of time" in which you can catch the failure or traffic you are targeting.

A file size of 200 MB and a ring buffer of 20 files will give you ~4 GB of files; depending on the amount of traffic, you can adjust these values to cover the amount of time you need to capture.
Note: Once your capture work is completed, be sure to disable the Real Capture function on the Access Point. Syntax:

ccapture stop
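
The ring-buffer capture from the troubleshooting tip can also be started from the command line with dumpcap, which ships with Wireshark. The script below is an added example, not part of the original article: it validates the inputs and prints the dumpcap command for the 200 MB x 20 file sizing described above. It assumes the local libpcap/Npcap build accepts rpcap:// remote interface names and that Real Capture has already been started on the AP; the AP address 192.0.2.10 and the file prefix ap_trace are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original article). Assumption: the local
# libpcap/Npcap build accepts rpcap://<host>/<interface> capture sources.

# ring_total_mb FILE_MB FILES -> worst-case disk use of the ring buffer, in MB
ring_total_mb() {
    echo $(( $1 * $2 ))
}

# build_capture_cmd AP_IP IFACE FILE_MB FILES [PREFIX]
# Prints the dumpcap command line; returns non-zero on invalid input.
build_capture_cmd() {
    ap_ip=$1 iface=$2 file_mb=$3 files=$4 prefix=${5:-ap_trace}

    # Interfaces named in the article: eth0 (wired), wifi0 (Radio 1), wifi1 (Radio 2)
    case $iface in
        eth0|wifi0|wifi1) ;;
        *) echo "unknown interface: $iface" >&2; return 1 ;;
    esac
    # Restrict the host to digits and dots so nothing else reaches the command line
    case $ap_ip in
        ''|*[!0-9.]*) echo "bad AP address: $ap_ip" >&2; return 1 ;;
    esac
    # Output file prefix: plain file-name characters only
    case $prefix in
        ''|*[!A-Za-z0-9_.-]*) echo "bad file prefix: $prefix" >&2; return 1 ;;
    esac
    # File size and file count must be positive integers
    for n in "$file_mb" "$files"; do
        case $n in
            ''|*[!0-9]*|0*) echo "size/count must be a positive integer" >&2; return 1 ;;
        esac
    done

    # dumpcap takes "-b filesize:" in kB and "-b files:" as the ring length.
    # No -f capture filter is passed, as required for NULL/QOS_NULL frames.
    echo "dumpcap -i rpcap://$ap_ip/$iface -b filesize:$(( file_mb * 1000 )) -b files:$files -w $prefix.pcapng"
}

# Constructed sample run: Radio 1 on a documentation address, article's sizing
build_capture_cmd 192.0.2.10 wifi0 200 20
echo "worst-case disk use: $(ring_total_mb 200 20) MB"
```

Run the printed command on the capture PC, and stop Real Capture on the AP with ccapture stop when the trace is complete.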
